NodeJS OAuth2.0 原理 [英] NodeJS OAuth2.0 principles
问题描述
最近我在做一个 nodeJS 项目,我在思考如何着手和实现我的移动应用程序的安全模块.我以前在 C# 项目中使用过 OAuth 2.0 协议的经验.
Recently I was working on a nodeJS project and I was thinking how to go about and implement the security module of my mobile application. I had a previous experience from OAuth 2.0 protocol which I used in C# projects in the past.
.NET 中有两个不错的开源项目
In .NET there are two nice open source project
- https://github.com/thinktecture/Thinktecture.IdentityServer.v3
- https://github.com/thinktecture/Thinktecture.AuthorizationServer
前者是支持联合身份验证的身份提供者,后者是 OAuth 2.0 提供者.
The former is an Identity Provider supporting federated authentication and the later is an OAuth 2.0 provider.
所以我决定为我的 nodeJS 应用程序使用相同的安全基础设施.但据我所知,没有什么能与这些项目相提并论.
So I decided to employ the same security infrastructure for my nodeJS app. But as far as I know, there is nothing equivalent to those projects.
我发现了一些非常好的项目,这些项目还没有完成,但这是一个好的开始:
I found some really nice project, which are not yet complete but are a good start:
此外,我看到了一篇很好的文章,它提出了一种在 nodeJS 中处理身份验证的好方法.https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ 以及对 stackoverflow 上的问题的类似回答.网站和自有网站之间的身份验证应用程序接口
In addition, I came across a nice article that suggests a nice way to deal with authentication in nodeJS. https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/ and a similar answer to a questtion on stackoverflow. Auth between a website and self-owned API
据我所知,expressJwt 保护我们的 api,基本上会验证用户发送的访问令牌.但我想更进一步,将令牌与特定于应用程序的范围相关联,就像使用 OAuth2.0 协议一样.例如,我想分配写入、读取等范围,并让 expressJwt 检查用户的令牌是否具有作为特定 API 端点访问所需的范围.
From what I understood, expressJwt guards our api's and basically will validate the access token sent by the user. But I'd like to go a step further, and associate a token with app specific scopes, in a similar way that one would do with the OAuth2.0 protocol. So for example, I would like to assign a write, read etc. scopes and have expressJwt check if the user's token has the required scopes to access as specific API endpoint.
如果您能就如何处理这个话题向我提供一些建议,我将不胜感激.
I would be grateful if you could provide me with some suggestions about how to deal with this topic.
推荐答案
首先,您需要生成具有此类声明的令牌.这可能在 API 或其他地方:
First, you need to generate a token with such claims. This could be in an API or some other place:
var jwt = require('jsonwebtoken');
var claims = {
name: user.name
can_write: true,
can_post_timeline: false
};
var token = jwt.sign(claims, 'my-super-secret');
然后,为了验证您将执行以下操作:
Then, to validate you will do something like this:
var jwt = require('express-jwt');
app.use(jwt({secret: 'my-super-secret'}));
function require_time_line_access (req, res, next) {
if (!req.user.can_post_timeline) return res.send(401);
next();
}
app.post('/timeline',
require_time_line_access,
function(req, res) {
//do timeline stuff
});
express-jwt
验证令牌的签名、到期时间和其他一些事情.如果一切正常,则将解码后的令牌放入 req.user
,如果不正常则返回 401.
express-jwt
validates the signature of the token, expiration and few other things. If everything is okay it puts the decoded token in req.user
, and if is not okay it returns 401.
require_time_line_access
是确保用户拥有此声明的中间件,如果没有,则返回 401.您可以将此中间件放在需要此声明的每个端点中.
require_time_line_access
is a middleware that ensure the user has this claim, if it doesnt it returns 401. You can put this middleware in every endpoint that needs this claim.
这篇关于NodeJS OAuth2.0 原理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!